Indicators of Compromise

3 minute read

Top 15 IoCs

Below are the Top 15 Indicators of Compromise from DarkReading that I’ve compressed as a quick reference guide.

  1. Unusual Outbound Network Traffic
    • analyse traffic leaving the perimeter
    • compromised systems often call home to C2
  2. Anomolies in Privileged User Account Activity
    • keep an eye on unusual account behaviour
    • accounts with new/unauthorised privs/perms
  3. Geographical Irregularities
    • logins/access patterns
    • account logging in from multiple IPs in a short period of time
    • geolocation tagging
  4. Other Login Red Flags
    • failed logins for accounts that don’t exist
    • consecutive failed logins
    • account lockouts
    • logins after hours
  5. Swells in Database Read Volume
    • attacker has access and is looking for the crown jules
    • successful SQLi
  6. HTML Response Sizes
    • much larger than normal response
    • may indcate successful file disclosure, RCE, SQLi etc.
  7. Large Numbers of Requests for the Same File
    • attacker trying different web payloads/manipulating requests
    • Suspicious to pages like login.php, join.php etc.
  8. Mismatched Port-Application Traffic
    • attackers take advantage of obscure ports to bypass web filtering
    • C2 traffic can be masquerading as normal application behaviour
    • DNS requests over port 80 etc.
  9. Suspicious Registry or System File Changes
    • establishing persistance through registry changes
    • changes in system files/configurations
    • create a baseline when dealing with registry based IoCs
  10. DNS Request Anomalies
    • C2 traffic and DNS exfil can be very loud
    • spike in DNS requests from a specific host
    • patterns of DNS requests to external hosts
    • compare against geoIP and IP reputation data
  11. Unexpected Patching of Systems
    • attacker locking down a system so others can’t pwn
  12. Mobile Device Profile Changes
    • unusual changes to mobile users’ device settings
    • watch for replacements of normal apps
    • new configuration profiles
    • mitm, social engineering, etc.
  13. Bundles of Data in the Wrong Places
    • attackers aggregate data at collection points
    • exfil data from system at these collection points
    • files in unusual locations should be scrutinized
  14. Web Traffic with Unhuman Behaviour
    • 20-30 browser windows open simultaneously
    • click-fraud malware families may generate noisy volumes of web traffic in short bursts.
  15. Sings of DDoS Activity
    • DDoS used as smokescreens to camouflage other attacks.
    • Signs of DDoS
      • slow network performance
      • unavailability of websites
      • firewall failover
      • back-end systems working at max capacity for unknown reasons
    • don’t just worry about those immediate problems
    • DDoS attacks overload security reporting systems
      • IPS
      • IDS
      • SIEM
    • review DDoS attacks for data breach activity


Network Symptoms

  • Bandwidth utilisation
    • attackers can hide data exfil in peak times
    • hard to detect in typical network chatter
    • analyse endpoints and connection directionality
  • Beaconing
    • behaviour can be detected in two ways
      • periodicity
      • destination
    • malware can randomise beacon periods/dest address
    • brief connections
    • endpoint analysis
      • communication regularity with other hosts
  • Irregular Peer-to-Peer Communication
    • unprivileged accounts connecting to other hosts
    • privileged accounts connecting from regular hosts
    • multiple failed remote logins
    • context matters
    • does user have legit reason to connect from host to resource?
  • Rogue Devices
    • know what’s on your network
    • hardware and software asset management/asset awareness
    • hardware asset inventory
    • NAC ensures device authenticated, scanned and appropriate
    • NAC allows implementation of policies
  • Scan Sweeps
    • nmap/ping sweeps etc.
    • one host generating large amount of connection attempts to multiple nodes
    • pay attention to ARP messages
    • scan sweep can generate a lot of ARP queries

Host Symptoms

  • Running Processes
    • “malware can hide, but it must run”
    • ps, top, tasklist /v, task manager
    • know what is normal
    • baseline hosts and make not of normal processes on a healthy host
    • attackers can use names similar to normal processes
    • note CPU cycles
  • Connections
    • malware can utilise network sockets
    • netstat -ano
    • netstat -v
    • netstat -nap
  • Memory Contents
  • File System
    • evidence of actions often left
    • system/configuration file changes
  • Unauthorized Software
    • illicit binary executables
    • possible to bypass signature and behavioural detection systems
    • list authorised programs each computer is allowed to run
    • white/blacklisting
    • list software installed on every computer
    • software asset inventory
  • Unauthorized Changes
    • malicious DDLs
      • require elevated privs
    • logging of access/changes in files/sensitive folders
    • hashing important files that aren’t meant to be changed
    • Tripwire
    • object access auditing
      • event for read, modification, creation and deleting of file in audited space
    • Windows Event Forwarding
    • Sysmon
    • Rsyslog
  • Data exfiltration
    • staging locations for data to be sent out
    • data build up in random places
    • exfil attempts to mimic accetable communications (web, mail, dns)
    • can be encrypted
    • connection looks legit
      • volume and endpoint will not
    • set alerts to trigger for large transfers
    • NetFlow analysis
    • DLP
  • Resource consumption
    • memory
    • CPU cycles
    • disk space
    • network bandwidth
    • when/where would spikes occur normally?
    • what are they indicative of?
  • Unauthorized Privileges
    • odd behaviour for privileged account
    • monitor activities
    • prioritise protection of info assets
      • contain suspicious user/system
      • isolate any active sessions
      • disable/suspend suspected account if required